CN113923008A - Malicious website interception method, device, equipment and storage medium - Google Patents

Info

Publication number
CN113923008A
Authority
CN
China
Prior art keywords
target
website
application program
domain name
dns query
Legal status
Granted
Application number
CN202111162041.7A
Other languages
Chinese (zh)
Other versions
CN113923008B (en)
Inventor
成少波
王伟
Current Assignee
Beijing Zhizhangyi Technology Co ltd
Original Assignee
Beijing Zhizhangyi Technology Co ltd
Application filed by Beijing Zhizhangyi Technology Co ltd
Priority to CN202111162041.7A
Publication of CN113923008A
Application granted; publication of CN113923008B
Legal status: Active

Classifications

    • H04L63/14 (Electricity > Electric communication technique > Transmission of digital information > Network architectures or protocols for network security > Detecting or protecting against malicious traffic), with the following leaf classes:
    • H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic > H04L63/145 Countermeasures where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The embodiments of this application disclose a malicious website interception method, device, equipment and storage medium, applied to a user terminal on which a zero-trust application program is installed. The method comprises: in response to a user's access operation on a target website in a target application program, generating a target DNS query request; capturing the target DNS query request through an interception application program, and identifying from the target DNS query request whether the target website is an abnormal website; and, according to the identification result, controlling whether the webpage content corresponding to the target website is displayed in the target application program. This scheme optimizes the malicious website interception process and improves the user experience.

Description

Malicious website interception method, device, equipment and storage medium
Technical Field
The embodiments of this application relate to the field of network technology, and in particular to a malicious website interception method, device, equipment and storage medium.
Background
As network resources have grown explosively, their scale and complexity have made them increasingly difficult to manage. The internet today carries a large number of malicious websites containing illegal advertisements, virus programs, trojan horse programs and the like.
In the prior art, device-level interception of malicious websites on iOS is generally implemented with a "client + domain name server" arrangement. The client application uses the NetworkExtension framework (a framework provided by iOS for configuring virtual private networks and for customizing and extending core networking functions) to register a network extension plug-in; a device-wide DNS (Domain Name System) server is configured through NEDNSSettings in that framework, so that all DNS queries from the device are directed to a remote domain name server, and the remote domain name server intercepts or passes each DNS query according to preset interception rules.
However, intercepting malicious websites on iOS through this "client + domain name server" arrangement has the following problems. First, a domain name server with its own interception processing capability must be deployed and maintained remotely, which is complex in practice. Second, when a large number of devices are in use, high-concurrency requests to that server can cause contention, delaying responses and degrading the user experience. Improvement over the prior art is therefore needed.
Disclosure of Invention
The application provides a malicious website interception method, device, equipment and storage medium, so that a malicious website interception process is optimized, and user experience is improved.
In a first aspect, an embodiment of the present application provides a malicious website intercepting method, which is applied to a user terminal installed with an intercepting application program, and the method includes:
responding to the access operation of a user to a target website in a target application program, and generating a target DNS query request;
capturing the target DNS query request through an interception application program, and identifying whether the target website is an abnormal website according to the target DNS query request;
and controlling the webpage content corresponding to the target website to be displayed in the target application program according to the identification result.
In a second aspect, an embodiment of the present application provides a malicious website intercepting apparatus, configured in a user terminal installed with an intercepting application, and including:
the access request generation module is used for responding to the access operation of a user on a target website in a target application program and generating a target DNS query request;
the malicious website identification module is used for capturing the target DNS query request through an interception application program and identifying whether the target website is an abnormal website or not according to the target DNS query request;
and the control display module is used for controlling the display of the webpage content corresponding to the target website in the target application program according to the identification result.
In a third aspect, an embodiment of the present application further provides an electronic device, where the device includes:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement any one of the malicious website intercepting methods provided by the embodiments of the first aspect.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements any one of the malicious website intercepting methods provided in the embodiments of the first aspect.
The embodiments of this application are applied to a user terminal on which an interception application program is installed: the user terminal generates a target DNS query request in response to the user's access operation on a target website in a target application program; the interception application program captures the target DNS query request and identifies from it whether the target website is an abnormal website; and the webpage content corresponding to the target website is displayed in the target application program, or not, according to the identification result. Because the interception application program pre-installed on the user terminal identifies abnormal websites from the target DNS query request, identification takes place on the user terminal itself, and no domain name server with its own interception processing capability needs to be deployed and maintained remotely. Since each terminal identifies abnormal websites locally, there is no delayed response caused by many terminals simultaneously sending interception requests to a remote domain name server. The malicious website interception process is thereby optimized and the user experience improved.
Drawings
Fig. 1 is a flowchart of a malicious website intercepting method according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a malicious website intercepting method according to a second embodiment of the present application;
fig. 3 is a flowchart of a malicious website intercepting method according to a third embodiment of the present application;
fig. 4 is a schematic structural diagram of an interception application provided in the third embodiment of the present application;
fig. 5 is a schematic diagram of a malicious website intercepting apparatus according to a fourth embodiment of the present disclosure;
fig. 6 is a schematic view of an electronic device provided in the fifth embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be further noted that, for the convenience of description, only some of the structures related to the present application are shown in the drawings, not all of the structures.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the steps as a sequential process, many of the steps can be performed in parallel, concurrently or simultaneously. In addition, the order of the steps may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example one
Fig. 1 is a flowchart of a malicious website intercepting method according to the first embodiment of the present application. This embodiment applies to intercepting malicious websites on a user terminal. The method can be executed by a malicious website intercepting device configured in a user terminal on which an intercepting application program is installed; the device can be implemented in software and/or hardware and is configured in electronic equipment, which can be a mobile terminal or a fixed terminal.
Referring to fig. 1, the malicious website intercepting method provided in the embodiment of the present application is applied to a user terminal installed with an intercepting application, and includes:
s110, responding to the access operation of the user to the target website in the target application program, and generating a target DNS query request.
The target application program may be a browser in the user terminal or another application that can load web pages. According to browsing needs, the user enters a target web address in the target application program in order to load the corresponding website.
In this embodiment, when the user triggers an access operation (for example, a click) on a target website in the target application program, a target DNS query request is generated. The DNS query is used to determine the IP (Internet Protocol) address of the web server holding the web resource; with that IP address the user terminal can reach the web server and fetch the resource from it.
The target DNS query request carries, among other information, a destination address, a source address and the queried domain name.
S120, capturing the target DNS query request through the intercepting application program, and identifying whether the target website is an abnormal website or not according to the target DNS query request.
The interception application program is developed on Apple's NetworkExtension framework.
In this embodiment, the interception application program must be installed on the user terminal in advance. It is an application with a specific function: it can identify and judge, from the target DNS query request, whether the target website is an abnormal website.
It should be noted that while the interception application program captures DNS query requests, it does not affect other network requests in the user terminal's operating system, so both security and efficiency are taken into account.
And S130, controlling to display the webpage content corresponding to the target website in the target application program according to the identification result.
The identification result is either that the target website is an abnormal website or that it is a normal website.
In this embodiment, when the target website is determined to be an abnormal website, the webpage content corresponding to the target website is not displayed in the target application program; other preset webpage content may be displayed instead. When the target website is determined to be a normal website, the webpage content corresponding to the target website is displayed in the target application program.
It can be understood that controlling what is displayed according to the identification result implements malicious website interception, blocking illegal websites (those containing virus programs, trojan programs and the like) as well as operator advertisement hijacking.
Example two
Fig. 2 is a flowchart of a malicious website intercepting method according to a second embodiment of the present application, which is an optimization of the foregoing scheme based on the foregoing embodiment.
Further, the operation of capturing the target DNS query request through the intercepting application and identifying from it whether the target web address is abnormal is refined into: capturing the target DNS query request through the intercepting application and parsing the request IP packet in it to obtain the target domain name of the target web address; and identifying, through the intercepting application, whether the target website is an abnormal website from the target domain name, thereby completing the identification process for abnormal websites.
Wherein explanations of the same or corresponding terms as those of the above-described embodiments are omitted.
Referring to fig. 2, the malicious website intercepting method provided in this embodiment includes:
s210, responding to the access operation of the user to the target website in the target application program, and generating a target DNS query request.
S220, capturing the target DNS query request through the intercepting application program, and analyzing a request IP packet in the target DNS query request to obtain a target domain name of the target website.
The request IP packet is the packet that carries the domain name information.
In general, a DNS query consists of a fixed 12-byte header followed by the question section, so the queried name begins at a fixed offset in the query. The name itself is variable-length: it is encoded as a sequence of length-prefixed labels terminated by a zero byte, and the target domain name of the target website is obtained by parsing those bytes. This fixed location is what is meant by the location of the request IP packet.
For example, suppose a target DNS query request consists of the bytes (in hex) 21FE 0100 0001 0000 0000 0000 03 777777 03 636864 03 656475 02 636E 00 0001 0001. The first 12 bytes are the header: transaction ID 0x21FE, flags 0x0100 (recursion desired), one question, and no answer, authority or additional records. The bytes 03 777777 03 636864 03 656475 02 636E 00 are the question name: each label is preceded by its length, and decoding the label bytes as ASCII gives "www", "chd", "edu" and "cn", i.e. the target domain name www.chd.edu.cn. The trailing 0001 0001 are the query type (A) and class (IN).
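The decoding just described, as an added example that is not part of the patent: a small Python parser for the header and question section of a raw DNS query, run on the byte string quoted above. It also rejects the malformed inputs a packet-level interceptor has to expect (a truncated name, a label running past the packet, an over-long name, a compression pointer inside the question), which the patent text does not discuss.

```python
import struct

# The query quoted in the patent text, as hex (the sample input for this example).
SAMPLE_QUERY_HEX = "21FE0100000100000000000003777777036368640365647502636E0000010001"

QTYPE_A = 1
QCLASS_IN = 1
HEADER_LEN = 12      # the DNS header is always 12 bytes; the question starts right after it
MAX_NAME_LEN = 255   # RFC 1035 limit on an encoded name


def parse_dns_query(packet: bytes) -> dict:
    """Decode the header and the first question of a DNS query.

    Returns the transaction id, flags, section counts, the queried name
    (lower-cased, dotted), its type and class, and the offset just past the
    question. Raises ValueError for a response, a query with no question, or
    a question whose name is truncated, over-long, or uses a compression
    pointer (pointers are not legitimate in a query's question, and a crafted
    one could send a naive parser back into the packet).
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:HEADER_LEN])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")

    labels = []
    pos = HEADER_LEN
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past the end of the packet")
        length = packet[pos]
        pos += 1
        if length == 0:                      # zero-length label terminates the name
            break
        if length & 0xC0:                    # 11xxxxxx is a pointer, 01/10 are reserved
            raise ValueError("compression pointer or reserved label type in question")
        if pos + length > len(packet):
            raise ValueError("label runs past the end of the packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
        if pos - HEADER_LEN > MAX_NAME_LEN:
            raise ValueError("encoded name exceeds 255 bytes")
    if pos + 4 > len(packet):
        raise ValueError("question missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "id": txid,
        "flags": flags,
        "counts": (qdcount, ancount, nscount, arcount),
        "qname": ".".join(labels).lower(),
        "qtype": qtype,
        "qclass": qclass,
        "question_end": pos + 4,
    }


if __name__ == "__main__":
    q = parse_dns_query(bytes.fromhex(SAMPLE_QUERY_HEX))
    print(q["qname"], "type", q["qtype"], "class", q["qclass"])
```

The name is lower-cased before it is returned because DNS names are case-insensitive and a blocklist lookup must not be defeated by a mixed-case query.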
Optionally, a control instruction is generated in response to a plug-in control operation of a user through a plug-in control module in the interception application program; and if the control instruction is an opening instruction, triggering and executing the capturing operation of the target DNS query request.
In this embodiment, the plug-in control operation may be implemented with a control button in the interception application program's user interface: when the button is switched on, an opening instruction is generated; when it is switched off, a closing instruction is generated. If the control instruction is a closing instruction, capture of the target DNS query request is not triggered.
It can be understood that the control capture operation of the target DNS query request can be realized based on the plug-in control module in the interception application program, which is more intelligent and convenient for the user to manage.
Optionally, the capturing, by the intercepting application, the target DNS query request, and analyzing a request IP packet in the target DNS query request to obtain a target domain name of the target website includes: the target DNS query request is guided to a preset virtual network card through a plug-in setting module in the interception application program; forwarding a request IP packet in the target DNS query request to an IP packet processing module of the intercepting application program through the preset virtual network card; and obtaining the target domain name by analyzing the request IP packet.
Specifically, steering the target DNS query request to the preset virtual network card through the plug-in setting module in the interception application comprises: configuring a domain name server with a specified virtual IP address (e.g. 10.0.0.0) through the servers field of the NEDNSSettings class; configuring the matchDomains field of NEDNSSettings so that all DNS queries are steered to that server; and adding the virtual IP address to the tunnel's list of steered (included) routes through the NEIPv4Settings class.
In this embodiment, based on a network extension framework provided by the iOS system, the DNS query request of the terminal system can be directed to the specified virtual IP address, the IP network traffic is directed to the IP packet processing module, and the request IP packet in the target DNS query request is resolved in the IP packet processing module to obtain the target domain name of the target website.
It can be understood that the IP packet processing module of the interception application parses the IP packet of the DNS query request in a targeted way, reliably extracting the target domain name of the target website and providing the data basis for subsequently determining whether the target website is an abnormal website.
And S230, identifying whether the target website is an abnormal website or not according to the target domain name by intercepting the application program.
In this embodiment, whether the target website is an abnormal website may be identified by the intercepting application itself according to the target domain name.
Of course, it may also be possible to identify whether the target website is an abnormal website by a module having a specific identification function in the interception application according to the target domain name.
Optionally, the identifying, by the intercepting application program, whether the target website is an abnormal website according to the target domain name includes: and identifying whether the target website is an abnormal website or not based on the target domain name and a preset abnormal website domain name list through a rule filtering module in the interception application program.
The rule filtering module stores a preset abnormal website domain name list, and the preset abnormal website domain name list comprises a malicious domain name corresponding to a predetermined malicious website.
It can be understood that, by developing the interception application according to different functional modules, management and maintenance of the functional modules in the interception application can be facilitated.
Optionally, the preset abnormal website domain name list is generated in response to a rule setting operation of a user through a rule obtaining module in the interception application program.
Specifically, the user can perform rule setting operation in the interception application program, and also can transmit the rule setting operation to the interception application program through remote server operation, so as to generate the preset abnormal website domain name list.
It can be understood that the updating and perfecting of the preset abnormal website domain name list according to actual requirements can be realized by responding to the rule setting operation of the user, and the accuracy and comprehensiveness of the preset abnormal website domain name list are ensured.
Optionally, identifying, through the rule filtering module in the interception application program, whether the target website is an abnormal website based on the target domain name and the preset abnormal website domain name list comprises: matching the target domain name against each malicious domain name in the preset abnormal website domain name list with a preset domain name matching algorithm in the rule filtering module of the interception application program; and if a malicious domain name in the preset abnormal website domain name list is successfully matched with the target domain name, determining that the target website is an abnormal website.
The preset domain name matching algorithm may be an exact domain name matching algorithm and/or a wildcard domain name matching algorithm. The successful matching may be that the matching degree of the malicious domain name and the target domain name reaches a preset matching degree threshold, such as 99%.
In this embodiment, a suitable domain name matching algorithm may be selected according to actual requirements, and of course, the matching result may also be determined based on two different types of domain name matching algorithms.
For example, exact domain name matching requires the full target domain name to match, such as matching "www.baidu.com"; wildcard domain name matching matches part of the target domain name, such as "*.baidu.com".
In this embodiment, the rule matching of the malicious website is performed in the rule filtering module, and the interception of the malicious website and the release of the normal request are performed according to the matching result.
It can be understood that when the target website is determined to be an abnormal website it is intercepted, so that a malicious website containing illegal advertisements, virus programs or trojan programs is prevented from loading in the target application program of the user terminal, avoiding the threat to the user terminal.
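The rule filtering step with the two rule shapes the text names (an exact rule such as "www.baidu.com" and a wildcard rule such as "*.baidu.com"), as an added example that is not the patent's own code. The rule list is constructed for illustration. The point it makes beyond the text is that a wildcard rule must be matched at a label boundary: a plain suffix or substring test on "baidu.com" would also block "evilbaidu.com".

```python
def normalize(name: str) -> str:
    """Canonical form for comparison: trimmed, trailing dot removed, lower-cased."""
    return name.strip().rstrip(".").lower()


class DomainBlocklist:
    """A preset abnormal-website domain list holding exact and wildcard rules.

    A wildcard rule "*.baidu.com" covers "a.baidu.com" and "a.b.baidu.com"
    but not "baidu.com" itself (add an exact rule if the apex should be
    blocked too) and not "evilbaidu.com".
    """

    def __init__(self, rules):
        self.exact = set()
        self.wildcard = set()  # suffixes, stored without the leading "*."
        for rule in rules:
            rule = normalize(rule)
            if rule.startswith("*."):
                self.wildcard.add(rule[2:])
            elif rule:
                self.exact.add(rule)

    def match(self, qname: str):
        """Return the rule that matches the queried name, or None."""
        name = normalize(qname)
        if name in self.exact:
            return name
        labels = name.split(".")
        # Walk the parent domains: a.b.baidu.com -> b.baidu.com -> baidu.com -> com.
        # Each candidate is a whole suffix starting at a label boundary.
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.wildcard:
                return "*." + parent
        return None

    def is_abnormal(self, qname: str) -> bool:
        return self.match(qname) is not None


# Constructed rule list for this example; not a real blocklist.
SAMPLE_RULES = ["www.baidu.com", "*.baidu.com", "Malware.Example."]

if __name__ == "__main__":
    blocklist = DomainBlocklist(SAMPLE_RULES)
    for q in ["www.baidu.com", "cdn.img.baidu.com", "baidu.com", "evilbaidu.com", "www.chd.edu.cn"]:
        print(q, "->", blocklist.match(q))
```

The text's alternative of declaring a match once similarity reaches a threshold such as 99% is not something to rely on for host names: two names one character apart may be a typosquat or two unrelated domains, and whether they clear the threshold depends on their length. Deciding at label boundaries, as above, gives a definite answer.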
And S240, controlling to display the webpage content corresponding to the target website in the target application program according to the identification result.
On the basis of the embodiment, the identification process of the abnormal website is perfected, the target DNS query request is captured through the intercepting application program, and the request IP packet in the target DNS query request is analyzed to obtain the target domain name of the target website; and identifying whether the target website is an abnormal website or not according to the target domain name through the interception application program. By the technical scheme, based on the interception application program pre-installed in the user terminal, whether the target website is an abnormal website is accurately identified according to the determined target domain name of the target website, so that the identification of the abnormal website in the user terminal equipment is realized, and a domain name server with independent interception processing capability does not need to be deployed and maintained at a far end; meanwhile, the user terminal equipment can identify the abnormal website, so that delay response caused by concurrency problems due to the fact that a plurality of user terminal equipment simultaneously send intercepting processing requests to the far-end domain name server does not exist, the malicious website intercepting process is optimized, and user experience is improved.
EXAMPLE III
Fig. 3 is a flowchart of a malicious website intercepting method according to a third embodiment of the present application, which is an optimization of the foregoing scheme based on the foregoing embodiment.
Further, the operation of controlling the webpage content corresponding to the target website displayed in the target application program according to the identification result is refined into the operation of determining a response IP packet of the content to be displayed according to the identification result; and sending the response IP packet to an operating system, and feeding back the response IP packet to the target application program through the operating system for displaying the content to be displayed so as to perfect the control display process of the webpage content corresponding to the target website.
Wherein explanations of the same or corresponding terms as those of the above-described embodiments are omitted.
Referring to fig. 3, the malicious website intercepting method provided in this embodiment includes:
s310, responding to the access operation of the user to the target website in the target application program, and generating a target DNS query request.
S320, capturing the target DNS query request through the intercepting application program, and identifying whether the target website is an abnormal website or not according to the target DNS query request.
S330, determining a response IP packet of the content to be displayed according to the identification result.
The response IP packet for the content to be displayed contains the IP address of the web server; once that IP address is determined, the page resource can be obtained from the web server and used to render the displayed page.
In this embodiment, based on different recognition results (including an abnormal website and a normal website) of the target website, different response IP packets may be obtained correspondingly.
Optionally, the determining, according to the identification result, a response IP packet of the content to be displayed includes: if the target website is identified to be an abnormal website, determining the response IP packet according to the IP address of a preset alarm page; and if the target website is identified as a normal website, determining the response IP packet according to the target DNS query request and the current domain name server.
Specifically, when the target website is determined to be an abnormal website, the response IP packet is constructed from the IP address of the preset alarm page, and the webpage resource is fetched from the pre-designated web server at that address so that the alarm page is displayed; its content may be, for example, "The website you are visiting is dangerous!" followed by the target web address. When the target website is determined to be a normal website, the IP address corresponding to the target DNS query request is obtained by domain name resolution through the current domain name server, and the response IP packet is constructed from it.
The current domain name server resolves names against the DNS, a distributed database mapping domain names to IP addresses. It receives the target DNS query request and returns the IP address corresponding to it.
It can be understood that, in order to implement intelligent visual management on page content, different response IP packets may be constructed according to different recognition results of a target website.
Optionally, when it is monitored that the current network of the user terminal changes, the latest domain name server corresponding to the user terminal is determined based on the intercepting application, and the current domain name server is updated based on the latest domain name server.
Here the latest domain name server means the latest domain name server address, and the current domain name server means the current domain name server address.
Specifically, the intercepting application registers for device network state monitoring. When it detects that the network of the user terminal device has changed, for example switched from an operator network to a Wi-Fi (Wireless Fidelity) network, the intercepting application may call the res_init() and res_getservers() functions to obtain the latest domain name server (i.e. the domain name server address) of the terminal device, and update the current domain name server based on the latest domain name server.
It can be understood that when the current network of the user terminal changes, the domain name server address of the terminal device changes, and the domain name server address is dynamically monitored, so that the successful resolution of the domain name can be ensured, and the domain name resolution error can be avoided.
Optionally, the determining the response IP packet according to the IP address of the preset alarm page includes: replacing the target domain name in the request IP packet with the domain name corresponding to the IP address of the preset alarm page through an IP packet processing module in the interception application program, and determining the response IP packet.
Specifically, after the target domain name in the request IP packet is replaced, a DNS query request may be constructed based on the request packet, an IP address corresponding to the DNS query request is determined, and a response IP packet is constructed according to the IP address.
Optionally, the determining the response IP packet according to the target DNS query request and the current domain name server includes: and inquiring the IP address corresponding to the target website from the current domain name server through a DNS proxy module in the intercepting application program according to the target DNS inquiry request, and determining the response IP packet according to the IP address corresponding to the target website.
Specifically, the DNS proxy module in the interception application may send a DNS query request to the obtained current domain name server of the terminal device, and may return a DNS query result to the interception application when the DNS query is successful.
In some embodiments, the DNS proxy module performs the domain name query as follows: according to the target DNS query request, sending a domain name query request over UDP (User Datagram Protocol) to the current domain name server of the system; monitoring the response of the current domain name server and, if a domain name query result is received, assembling a response IP packet from the request IP packet and the response data packet; writing the assembled response IP packet into the virtual network card file handle; the virtual network card returning the data to the terminal system as the response to the target DNS query request; the terminal system receiving the target DNS query request response and returning the query result to the target application program (such as a browser); and the target application program acquiring the web page resources to be viewed according to the obtained IP address.
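The DNS proxy and IP packet processing flow described above (S330 and the DNS proxy steps), as an added worked example that is not the patent's own code: it parses a request IP packet captured from the virtual network card, filters the domain against a preset abnormal domain name list, and assembles the response IP packet from either the preset alarm page address or the upstream resolver's answer. The domain list, addresses and function names are assumptions; the network-change refresh is modelled by update_dns_server() rather than res_init()/res_getservers(), and abnormal domains are answered directly with the alarm page address instead of rewriting the domain in the request.

```python
import socket
import struct
from typing import Callable, Optional

# Constructed sample values (assumptions, not taken from the patent).
ALARM_PAGE_IP = "203.0.113.10"                      # IP address of the preset alarm page
ABNORMAL_DOMAINS = {"bad.example", "evil.example"}  # preset abnormal website domain name list
current_dns_server = "192.0.2.53"                   # current domain name server address

def update_dns_server(new_server: str) -> str:
    """Counterpart of re-reading the resolver (res_init()/res_getservers()) when the
    device network changes, e.g. from the operator network to Wi-Fi."""
    global current_dns_server
    current_dns_server = new_server
    return current_dns_server

def parse_qname(dns: bytes, offset: int = 12) -> tuple:
    """Decode the first question's QNAME; returns (lower-case name, offset after it)."""
    labels = []
    while True:
        length = dns[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is not valid in a query's first name
            raise ValueError("compressed QNAME in question section")
        labels.append(dns[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset

def is_abnormal(domain: str) -> bool:
    """Rule filtering: the domain itself or any parent domain is on the preset list."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in ABNORMAL_DOMAINS for i in range(len(parts)))

def build_alarm_answer(query: bytes) -> bytes:
    """Synthesise a DNS response whose A record points at the preset alarm page.
    Non-A questions get an empty NOERROR answer so the client falls back to type A."""
    qid = struct.unpack("!H", query[:2])[0]
    _, qend = parse_qname(query)
    qtype = struct.unpack("!H", query[qend:qend + 2])[0]
    question = query[12:qend + 4]
    answers = b""
    if qtype == 1:  # name pointer to offset 12, type A, class IN, TTL 60, 4-byte RDATA
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ALARM_PAGE_IP)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1 if answers else 0, 0, 0)
    return header + question + answers

def forward_to_current_dns(query: bytes, timeout: float = 2.0) -> bytes:
    """Default forwarder: send the query over UDP to the current domain name server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (current_dns_server, 53))
        return sock.recv(4096)

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is consistent)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap a payload in UDP and IPv4 headers (UDP checksum left 0, allowed on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src, dst)
    return ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + udp

def handle_ip_packet(packet: bytes,
                     forward: Callable[[bytes], bytes] = forward_to_current_dns) -> Optional[bytes]:
    """Process one request IP packet read from the virtual network card; returns the
    response IP packet to write back, or None when the packet is not a DNS query."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:   # not UDP
        return None
    src_ip, dst_ip = packet[12:16], packet[16:20]
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    if dst_port != 53:
        return None
    query = packet[ihl + 8:]
    domain, _ = parse_qname(query)
    # Abnormal: answer with the alarm page address; normal: resolve via the current server.
    answer = build_alarm_answer(query) if is_abnormal(domain) else forward(query)
    # Response IP packet: addresses and ports swapped relative to the request IP packet.
    return _ipv4_udp(dst_ip, src_ip, dst_port, src_port, answer)

def build_query_packet(domain: str, qid: int = 0x1234, src_ip: str = "10.0.0.2",
                       src_port: int = 40000, qtype: int = 1) -> bytes:
    """Construct the request IP packet a target application's resolver would emit."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in domain.split(".")) + b"\0"
    dns = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return _ipv4_udp(socket.inet_aton(src_ip), socket.inet_aton(current_dns_server),
                     src_port, 53, dns)
```

On a real device the packets come from the TUN file handle the plug-in setting module diverts DNS traffic to, and the returned bytes are written back to that handle.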
In this embodiment, the interception application program is divided into independent functional modules (including a DNS proxy module, an IP packet processing module, and the like), and each functional module independently implements a specific function, so that management can be facilitated, and function debugging and upgrading of each independent module are facilitated.
Referring to fig. 4, an exemplary structure diagram of an interception application is shown, where the interception application is composed of an application layer and a plug-in layer, the application layer includes a rule obtaining module and a plug-in control module, and the plug-in layer includes a plug-in setting module, an IP packet processing module, a rule filtering module, and a DNS proxy module. The application layer and the plug-in layer can perform data interaction according to actual requirements.
S340, sending the response IP packet to the operating system, and feeding back the response IP packet to the target application program through the operating system for displaying the content to be displayed.
Specifically, after the operating system of the user terminal obtains the response packet, the response IP packet can be fed back to the target application program through the operating system; after receiving the response packet, the target application program can acquire the page resource from the corresponding web server according to the IP address in the response IP packet, and perform rendering display of the content to be displayed according to the page resource.
On the basis of the embodiment, the control display process of the webpage content corresponding to the target website is perfected, and the response IP packet of the content to be displayed is determined according to the identification result; and sending the response IP packet to an operating system, and feeding back the response IP packet to the target application program through the operating system for displaying the content to be displayed. By the technical scheme, different response IP packets are constructed according to different identification results of the target website, the content to be displayed is rendered and displayed according to the corresponding response IP packets, the alarm page is displayed if the content is a malicious website, and the normal access can be realized if the content is a normal website, so that the intelligent visual management of the page content is realized, the interception process of the malicious website is optimized, and the user experience is improved.
Example four
Fig. 5 is a schematic structural diagram of a malicious website intercepting apparatus according to a fourth embodiment of the present disclosure. Referring to fig. 5, an apparatus for intercepting a malicious website according to an embodiment of the present application is configured in a user terminal installed with an interception application, and the apparatus includes: an access request generation module 410, a malicious website identification module 420, and a control presentation module 430.
An access request generating module 410, configured to generate a target DNS query request in response to an access operation of a user to a target website in a target application;
a malicious website identification module 420, configured to capture the target DNS query request by an interception application, and identify whether the target website is an abnormal website according to the target DNS query request;
and a control display module 430, configured to control to display, according to the identification result, the web content corresponding to the target website in the target application.
The embodiment of the application is applied to a user terminal provided with an interception application program, and a target DNS query request is generated by responding to the access operation of a user to a target website in a target application program through the user terminal; capturing the target DNS query request through an interception application program, and identifying whether the target website is an abnormal website according to the target DNS query request; and controlling the webpage content corresponding to the target website to be displayed in the target application program according to the identification result. By the technical scheme, based on the interception application program pre-installed in the user terminal, whether the target website is an abnormal website is identified according to the target DNS query request, so that the identification of the abnormal website in the user terminal equipment is realized, and a domain name server with independent interception processing capability is not required to be deployed and maintained at a far end; meanwhile, the user terminal equipment can identify the abnormal website, so that delay response caused by concurrency problems due to the fact that a plurality of user terminal equipment simultaneously send intercepting processing requests to the far-end domain name server does not exist, the malicious website intercepting process is optimized, and user experience is improved.
Further, the malicious website identification module 420 includes:
the domain name resolution submodule is used for capturing the target DNS query request through the intercepting application program and resolving a request IP packet in the target DNS query request to obtain a target domain name of the target website;
and the abnormal website identification submodule is used for identifying whether the target website is an abnormal website or not according to the target domain name through the interception application program.
Further, the domain name resolution sub-module includes:
the request diversion unit is used for diverting the target DNS query request to a preset virtual network card through a plug-in setting module in the interception application program;
the request forwarding unit is used for forwarding a request IP packet in the target DNS query request to the IP packet processing module of the intercepting application program through the preset virtual network card;
and the domain name analyzing unit is used for analyzing the request IP packet through the IP packet processing module to obtain the target domain name.
Further, the abnormal website identification submodule includes:
and the abnormal website identification unit is used for identifying whether the target website is an abnormal website or not based on the target domain name and a preset abnormal website domain name list through a rule filtering module in the interception application program.
Further, the apparatus further comprises:
and the abnormal website list generating unit is used for responding to the rule setting operation of a user through a rule obtaining module in the interception application program and generating the preset abnormal website domain name list.
Further, the apparatus further comprises:
the control instruction generation submodule is used for responding to the plug-in control operation of a user through a plug-in control module in the interception application program and generating a control instruction;
and the capture operation triggering sub-module is used for triggering and executing the capture operation of the target DNS query request if the control instruction is an opening instruction.
Further, the control display module 430 includes:
the response packet determining submodule is used for determining a response IP packet of the content to be displayed according to the identification result;
and the control display sub-module is used for sending the response IP packet to an operating system, feeding back the response IP packet to the target application program through the operating system and displaying the content to be displayed.
Further, the response packet determination submodule includes:
an alarm response packet determining unit, configured to determine the response IP packet according to an IP address of a preset alarm page if the target website is identified as an abnormal website;
and the normal response packet determining unit is used for determining the response IP packet according to the target DNS query request and the current domain name server if the target website is identified as the normal website.
Further, the apparatus further comprises:
and the domain name server updating unit is used for determining the latest domain name server corresponding to the user terminal based on the interception application program when the current network of the user terminal is monitored to be changed, and updating the current domain name server based on the latest domain name server.
Further, the alarm response packet determining unit includes:
and the alarm response packet determining subunit is configured to replace the target domain name in the request IP packet with the domain name corresponding to the IP address of the preset alarm page through an IP packet processing module in the interception application program, and determine the response IP packet.
Further, the normal response packet determining unit includes:
and the normal response packet determining subunit is configured to query, by using the DNS proxy module in the interception application program, the IP address corresponding to the target website from the current domain name server according to the target DNS query request, and determine the response IP packet according to the IP address corresponding to the target website.
The malicious website intercepting device provided by the embodiment of the application can execute the malicious website intercepting method provided by any embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 6 is a structural diagram of an electronic device according to a fifth embodiment of the present application. FIG. 6 illustrates a block diagram of an exemplary electronic device 512 suitable for use in implementing embodiments of the present application. The electronic device 512 shown in fig. 6 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 6, the electronic device 512 is in the form of a general purpose computing device. Components of the electronic device 512 may include, but are not limited to: one or more processors or processing units 516, a system memory 528, and a bus 518 that couples the various system components including the system memory 528 and the processing unit 516.
Bus 518 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 512 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by electronic device 512 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 528 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)530 and/or cache memory 532. The electronic device 512 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 534 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 6, and commonly referred to as a "hard drive"). Although not shown in FIG. 6, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 518 through one or more data media interfaces. System memory 528 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the application.
A program/utility 540 having a set (at least one) of program modules 542 may be stored, for example, in system memory 528, such program modules 542 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. The program modules 542 generally perform the functions and/or methods of the embodiments described herein.
The electronic device 512 may also communicate with one or more external devices 514 (e.g., keyboard, pointing device, display 524, etc.), with one or more devices that enable a user to interact with the electronic device 512, and/or with any devices (e.g., network card, modem, etc.) that enable the electronic device 512 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 522. Also, the electronic device 512 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 520. As shown, the network adapter 520 communicates with the other modules of the electronic device 512 via the bus 518. It should be appreciated that although not shown in FIG. 6, other hardware and/or software modules may be used in conjunction with the electronic device 512, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 516 executes various functional applications and data processing by running at least one of the programs stored in the system memory 528, for example, to implement any one of the malicious website intercepting methods provided in the embodiments of the present application.
Example six
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the method for intercepting a malicious website is implemented, where the method is applied to a user terminal installed with an interception application program, where the method includes: responding to the access operation of a user to a target website in a target application program, and generating a target DNS query request; capturing the target DNS query request through an interception application program, and identifying whether the target website is an abnormal website according to the target DNS query request; and controlling the webpage content corresponding to the target website to be displayed in the target application program according to the identification result.
From the above description of the embodiments, it is obvious for those skilled in the art that the present application can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods described in the embodiments of the present application.
It should be noted that, in the embodiment of the malicious website intercepting apparatus, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the application.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present application and the technical principles employed. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present application is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the appended claims.

Claims (12)

1. A malicious website interception method is applied to a user terminal provided with an interception application program, and comprises the following steps:
responding to the access operation of a user to a target website in a target application program, and generating a target DNS query request;
capturing the target DNS query request through an interception application program, and identifying whether the target website is an abnormal website according to the target DNS query request;
and controlling the webpage content corresponding to the target website to be displayed in the target application program according to the identification result.
2. The method of claim 1, wherein capturing the target DNS query request by an intercepting application and identifying whether the target web address is an abnormal web address according to the target DNS query request comprises:
capturing the target DNS query request through the intercepting application program, and analyzing a request IP packet in the target DNS query request to obtain a target domain name of the target website;
and identifying whether the target website is an abnormal website or not according to the target domain name through the interception application program.
3. The method according to claim 2, wherein the capturing, by the intercepting application, the target DNS query request and parsing a request IP packet in the target DNS query request to obtain a target domain name of the target web address comprises:
the target DNS query request is guided to a preset virtual network card through a plug-in setting module in the interception application program;
forwarding a request IP packet in the target DNS query request to an IP packet processing module of the intercepting application program through the preset virtual network card;
and analyzing the request IP packet through the IP packet processing module to obtain the target domain name.
4. The method of claim 2, wherein the identifying, by the intercepting application, whether the target website is an abnormal website according to the target domain name comprises:
and identifying whether the target website is an abnormal website or not based on the target domain name and a preset abnormal website domain name list through a rule filtering module in the interception application program.
5. The method of claim 4, further comprising:
and responding to the rule setting operation of a user through a rule acquisition module in the interception application program, and generating the preset abnormal website domain name list.
6. The method of claim 2, further comprising:
responding to the plug-in control operation of a user through a plug-in control module in the interception application program to generate a control instruction;
and if the control instruction is an opening instruction, triggering and executing the capturing operation of the target DNS query request.
7. The method according to any one of claims 1 to 4, wherein the controlling of the presentation of the web content corresponding to the target website in the target application according to the recognition result comprises:
determining a response IP packet of the content to be displayed according to the identification result;
and sending the response IP packet to an operating system, and feeding back the response IP packet to the target application program through the operating system for displaying the content to be displayed.
8. The method according to claim 7, wherein the determining the response IP packet of the content to be displayed according to the identification result comprises:
if the target website is identified to be an abnormal website, determining the response IP packet according to the IP address of a preset alarm page;
and if the target website is identified as a normal website, determining the response IP packet according to the target DNS query request and the current domain name server.
9. The method of claim 8, further comprising:
when the current network of the user terminal is monitored to be changed, determining a latest domain name server corresponding to the user terminal based on the interception application program, and updating the current domain name server based on the latest domain name server.
10. A malicious website intercepting device, which is configured in a user terminal installed with an intercepting application program, comprises:
the access request generation module is used for responding to the access operation of a user on a target website in a target application program and generating a target DNS query request;
the malicious website identification module is used for capturing the target DNS query request through an interception application program and identifying whether the target website is an abnormal website or not according to the target DNS query request;
and the control display module is used for controlling the display of the webpage content corresponding to the target website in the target application program according to the identification result.
11. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the malicious website intercepting method according to any one of claims 1 to 9.
12. A computer-readable storage medium having stored thereon a computer program, which when executed by a processor implements a malicious web site interception method according to any one of claims 1 to 9.
CN202111162041.7A 2021-09-30 Malicious website interception method, device, equipment and storage medium Active CN113923008B (en)
Publications (2)

Publication Number Publication Date
CN113923008A true CN113923008A (en) 2022-01-11
CN113923008B CN113923008B (en) 2024-04-26
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant